Gingerbread Ransomware

Even though Gingerbread Ransomware could have been created back in 2014, it might still be distributed to this day. Our researchers say the malicious application can encrypt various files on the computer and so make them unusable. Its name originates from the story the malware’s creators tell in the so-called ransom note. The message itself is not very informative, as it explains little. It would seem that to learn more you have to contact the malicious application’s creators. However, since the infection is quite old, we do not think you could still reach them. In any case, even if you contact the hackers, they may demand that you pay an enormous amount of money for their help. This is why we advise you to ignore the note and remove Gingerbread Ransomware with the instructions placed below or a reliable antimalware tool. There might be some other ways to recover the data damaged by the threat, but we will discuss them further in the text.

Our researchers discovered the malware could have other versions, although they might be associated with different email addresses, e.g. COMODO@EXECS.COM, HELP@AUSI.COM, Heinz@oaht.com, NUMBAZA@SEZNAM.CZT, and so on. Same as the other variants, Gingerbread Ransomware should lock the user’s personal data (e.g. photos, pictures, documents, etc.) with a secure cryptosystem. To be able to launch itself automatically, the threat might create an executable file called ie_updater.exe in the %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup directory. The malicious file’s title suggests it could be an Internet Explorer update; such a name was most likely picked on purpose so that you would not associate it with the infection and delete it.

After Gingerbread Ransomware encrypts your data, it may drop a picture with the ransom note. It could be a BMP file with a random name placed in %APPDATA% and in the same Startup folder we mentioned earlier. As we said at the beginning, the malware’s ransom note might tell a story about a character called Gingerbread that needs the user’s help to buy an apartment. At the end of the text, users are urged to contact the hackers through kolobocheg@аоl.com if they want to get their files unlocked. If you were to do so, the reply letter would probably state how much you have to pay and how to transfer the ransom.

Nevertheless, as the infection is quite old and there might be a few versions of it, it is doubtful the Gingerbread Ransomware’s creators are still able to provide you with decryption tools. In fact, we do not think they would reply, so we see no point in trying to contact these people. Even if they do answer, you have no guarantee they will bother to help, and yet they could still convince you to pay the ransom. Without the decryption tools, you could also try various recovery tools or replace the encrypted files with their copies. If you think about it, there is a good chance that at least some of your photos or other personal files are stored in cloud storage, on removable media devices, in social media accounts, etc. Before you attempt any data recovery, it would be safest to get rid of the malicious application first.

The only way to eliminate the malware manually is to delete the data we mentioned in the article. To make the task less complicated, we listed the files created by the infection in the removal steps placed below the text. The steps also show you how to erase such data manually, so all you have to do is follow the provided instructions. Keep in mind that since there are different versions of Gingerbread Ransomware, we cannot be one hundred percent sure the provided instructions will help you erase the infection completely. Therefore, it might be a better idea to use a trustworthy security tool instead. The antimalware software would detect all data associated with the malicious application automatically, and after the scan you could immediately delete it by clicking the provided removal button.

Get rid of Gingerbread Ransomware

Press Win+E.

Insert the following directory into the Explorer’s address bar: %AppData%\Microsoft\Windows\Start Menu\Programs\Startup

Press Enter and look for a file named ie_updater.exe.

Right-click this file and select Delete.

Go to the %AppData% folder.

Check if there is another file named ie_updater.exe, right-click it and press Delete too.

Navigate to the Desktop, Downloads, and Temporary Files folders.

Find the malicious file that was launched before the malware appeared, then right-click it and choose Delete.
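
Before deleting anything, it helps to list what is actually present. The following PowerShell sketch is an added example, not part of the original instructions and not taken from any vendor tool: it reports ie_updater.exe and any BMP files found directly in the two folders named above, with creation time and SHA-256 so the findings can be recorded or submitted to a scanner. The function name Find-GingerbreadArtifacts and its parameter are hypothetical, and other variants of the threat may use different file names.

```powershell
# Added example: report-only sweep for the artifacts this article names.
# It deletes nothing; review the output and then follow the steps above.
function Find-GingerbreadArtifacts {
    [CmdletBinding()]
    param(
        # Folder to treat as %APPDATA% (defaults to the current user's profile).
        [string]$AppDataRoot = $env:APPDATA
    )

    $startup = Join-Path $AppDataRoot 'Microsoft\Windows\Start Menu\Programs\Startup'

    foreach ($dir in @($startup, $AppDataRoot)) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }

        # -Force includes hidden/system files. No -Recurse: the article places
        # the files directly in these two folders.
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -ieq 'ie_updater.exe' -or $_.Extension -ieq '.bmp' } |
            ForEach-Object {
                $kind = if ($_.Name -ieq 'ie_updater.exe') {
                    'Executable name used for persistence'
                } else {
                    # The note has a random name, so every BMP here is only a candidate.
                    'BMP file (possible ransom note, review manually)'
                }
                $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 `
                            -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    Kind    = $kind
                    Path    = $_.FullName
                    Created = $_.CreationTime
                    SHA256  = $hash.Hash
                }
            }
    }
}

$found = @(Find-GingerbreadArtifacts)
if ($found.Count -eq 0) {
    'No ie_updater.exe or BMP files found in %APPDATA% or the Startup folder.'
} else {
    $found | Format-List
}
```

An empty result does not prove the system is clean, since the original launcher in Desktop, Downloads or Temporary Files is not covered by this check.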